Encryption at Rest Encryption in Transit Administrator Controls Application Access

Data Protection in Amazon AppStream 2.0

The AWS shared responsibility model applies to data protection in Amazon AppStream 2.0. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the Data Privacy FAQ. For information about data protection in Europe, see the AWS Shared Responsibility Model and GDPR blog post on the AWS Security Blog.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:

Use multi-factor authentication (MFA) with each account.
Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2.
Set up API and user activity logging with AWS CloudTrail.
Use AWS encryption solutions, along with all default security controls within AWS services.
Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form fields such as a Name field. This includes when you work with AppStream 2.0 or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

Encryption at Rest

AppStream 2.0 fleet instances are ephemeral in nature. After a user's streaming session is finished, the underlying instance and its associated Amazon Elastic Block Store (Amazon EBS) volume are terminated. In addition, AppStream 2.0 periodically recycles unused instances for freshness.

When you enable application settings persistence, home folders, session scripts, or usage reports your users, the data that is generated by your users and stored in Amazon Simple Storage Service buckets is encrypted at rest. AWS Key Management Service is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Amazon S3 uses AWS Managed CMKs to encrypt your Amazon S3 object data.

Encryption in Transit

The following table provides information about how data is encrypted in transit. Where applicable, other data protection methods for AppStream 2.0 are also listed.

Data	Network path	How protected
Web assets This traffic includes assets such as images and JavaScript files.	Between AppStream 2.0 users and AppStream 2.0	Encrypted using TLS 1.2
Pixel and related streaming traffic	Between AppStream 2.0 users and AppStream 2.0	Encrypted using 256-bit Advanced Encryption Standard (AES-256) Transported using TLS 1.2
API traffic	Between AppStream 2.0 users and AppStream 2.0	Encrypted using TLS 1.2 Requests to create a connection are signed using SigV4
Application settings and home folder data generated by users Applicable when application settings persistence and home folders are enabled.	Between AppStream 2.0 users and Amazon S3	Encrypted using Amazon S3 SSL endpoints
AppStream 2.0-managed traffic	Between AppStream 2.0 streaming instances and: AppStream 2.0 management services AWS services and resources in your Amazon Web Services account Non-AWS services and resources (such as Google Drive and Microsoft OneDrive)	Encrypted using TLS 1.2 Requests to create a connection are signed using SigV4 where applicable

Administrator Controls

AppStream 2.0 provides administrative controls that you can use to limit the ways in which users can transfer data between their local computer and an AppStream 2.0 fleet instance. You can limit or disable the following when you create or update an AppStream 2.0 stack:

Clipboard/copy and paste actions
File upload and download, including folder and drive redirection
Printing

When you create an AppStream 2.0 image, you can specify which USB devices are available to redirect to AppStream 2.0 fleet instances from the AppStream 2.0 client for Windows. The USB devices that you specify will be available for use during users’ AppStream 2.0 streaming sessions. For more information, see Qualify USB Devices for Use with Streaming Applications.

Application Access

By default, AppStream 2.0 enables the applications that you specify in your image to launch other applications and executable files on the image builder and fleet instance. This ensures that applications with dependencies on other applications (for example, an application that launches the browser to navigate to a product website) function as expected. Make sure that you configure your administrative controls, security groups, and other security software to grant users the minimum permissions required to access resources and transfer data between their local computers and fleet instances.

You can use application control software, such as Microsoft AppLocker, and policies to control which applications and files your users can run. Application control software and policies help you control the executable files, scripts, Windows installer files, dynamic-link libraries, and application packages that your users can run on AppStream 2.0 image builders and fleet instances.

Note

The AppStream 2.0 agent software relies on the Windows command prompt and Windows Powershell to provision streaming instances. If you choose to prevent users from launching the Windows command prompt or Windows Powershell, the policies must not apply to the Windows NT AUTHORITY\SYSTEM or users in the Administrators group.

Rule type	Action	Windows user or group	Name/Path	Condition	Description
Executable	Allow	NT AUTHORITY\System	*	Path	Required for the AppStream 2.0 agent software
Executable	Allow	BUILTIN\Administrators	*	Path	Required for the AppStream 2.0 agent software
Executable	Allow	Everyone	%PROGRAMFILES%\nodejs\*	Path	Required for the AppStream 2.0 agent software
Executable	Allow	Everyone	%PROGRAMFILES%\NICE\*	Path	Required for the AppStream 2.0 agent software
Executable	Allow	Everyone	%PROGRAMFILES%\Amazon\*	Path	Required for the AppStream 2.0 agent software
Executable	Allow	Everyone	%PROGRAMFILES%\<`default-browser`>\*	Path	Required for the AppStream 2.0 agent software when persistent storage solutions, such as Google Drive or Microsoft OneDrive for Business, are used. This exception is not required when AppStream 2.0 home folders are used.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Security

Identity and Access Management